Cl0p Exploits Oracle Zero-Day; Threat Actors Weaponize Legitimate Security Tools in Widespread Attacks

The NCSC's 2025 Annual Review, released on October 9, confirms a 129% surge in 'nationally significant' cyber incidents, rising to 204. In response to the escalating threat, the NCSC has launched a new 'Cyber Action Toolkit' specifically designed for small businesses and sole traders to bolster their defenses. NCSC Chief Executive Dr. Richard Horne emphasized that cybersecurity is now a fundamental component of business survival and national resilience. The report also details increased scrutiny, higher cyber insurance premiums, and heightened supply chain risk as key impacts for UK organizations.

Further analysis of the CVE-2025-61882 Oracle EBS zero-day reveals it is reportedly an SSRF issue escalating to RCE, affecting versions 12.2.3 through 12.2.14. The Clop group is also combining this zero-day with other previously patched vulnerabilities to maximize access. Oracle released an emergency patch on October 4, 2025, with the October 2023 Critical Patch Update as a prerequisite. New MITRE ATT&CK techniques identified include T1595.002 (Vulnerability Scanning), T1212 (Exploitation for Credential Access), T1041 (Exfiltration Over C2 Channel), and T1486 (Data Encrypted for Impact). A new observable */xmlpserver/* has also been identified for the BI Publisher component.

The Qilin ransomware group has escalated pressure on Asahi by posting samples of the stolen 27GB of data on their leak site, confirming the double extortion tactic. New technical details include specific cyber observables such as `powershell.exe -enc <base64_blob>` commands, `bitsadmin.exe` and `curl.exe` usage, and the `*.qilin` file extension. Enhanced detection strategies involve monitoring for data staging, analyzing PowerShell logs, and strict network egress monitoring. Mitigation advice now emphasizes offline backups, hardening public-facing services, and user training against phishing.